summaryrefslogtreecommitdiff
path: root/system/sharutils/CVE-2018-1000097.patch
diff options
context:
space:
mode:
authorLuis Ressel <aranea@aixah.de>2019-07-14 21:11:26 +0200
committerLuis Ressel <aranea@aixah.de>2019-07-14 21:11:51 +0200
commit7d90fa75663b3b4aba9186a5488ddec6bf471f1a (patch)
tree9133e3d3670e7cbad18d9eb164ef2d6461b98c87 /system/sharutils/CVE-2018-1000097.patch
parent1891df1128df59e1ef1e057cc2a84d968e288698 (diff)
downloadpackages-7d90fa75663b3b4aba9186a5488ddec6bf471f1a.tar.gz
packages-7d90fa75663b3b4aba9186a5488ddec6bf471f1a.tar.bz2
packages-7d90fa75663b3b4aba9186a5488ddec6bf471f1a.tar.xz
packages-7d90fa75663b3b4aba9186a5488ddec6bf471f1a.zip
system/easy-kernel*: (Partly) sync kernel configs
This is an attempt at syncing the kernel configs of our different arches. So far, only the 'Networking support/Networking options', 'Filesystems', 'Security Options' and 'Cryptographic API' sections have been handled, since those require much less knowledge about some of the more exotic hardware we support than some of the other sections. Some notable changes: Network * Enable IPsec, miscellaneous tunnels, and the diag interfaces for all socket families. * Enable policy routing (for wireguard). * Make the CUBIC TCP congestion control algorithm the default everywhere, provide a few other common choices. * Support FQ_CODEL. We may want to support further QoS features. * Disable support for PF_KEY sockets, which shouldn't be required by our IPsec userland tools. * Enable most netfilter features, except for arptables/ebtables/nfacct/ nfqueue/ipset, whose userland tools we don't provide yet, and a few other very specialized options. Filesystems * Build everything except for ext4, iso9660, vfat and squashfs as modules. * Use the ext4 driver for ext2 filesystems. * Disable the kernel automounter, which is currently only enabled on ppc32 and aarch64. Security * Only grant root access to dmesg by default; this can be overriden via a sysctl. * Support Yama; it doesn't do anything unless explicitly enabled by a sysctl, and may be useful to some users. * Disable AppAarmor, which is currently only enabled on pmmx and x86_64. Crypto * Disable a lot of uncommon ciphers which are unlikely to be used by anything. * Build all crypto code as modules (where possible); this means users with a dm-crypt-encrypted root filesystem now need to provide the appropriate kernel modules in their initramfs images on all arches. * Disable support for dedicated cryptographic coprocessors; we are not in a position to evaluate their security and performance benefits or disadvantages. Other * Allow serial consoles to be used as the kernel console on all arches; this is important for VMs.
Diffstat (limited to 'system/sharutils/CVE-2018-1000097.patch')
0 files changed, 0 insertions, 0 deletions